Scylla x64-x86

Reconstructing Import Table with Scylla

Scylla x86-x64 is a tool that is used to rebuild the import table.

In malware analysis, dumping a packed sample at its original entry point (OEP) is not enough: the dump's import table then needs to be rebuilt so that a disassembler or debugger can identify the modules and functions it imports.


OllyDumpEx

Dumping process memory with OllyDumpEx

OllyDumpEx is a process memory dumper used for OllyDbg and Immunity Debugger.

In malware analysis, this tool is used to dump the process at its original entry point, so that the code populated by the packer can be ignored.

Immunity Debugger

Reverse Engineering with Immunity Debugger

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry’s first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.


OllyDbg

OllyDbg Crash Course

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries.

source: https://en.wikipedia.org/wiki/OllyDbg

source: http://www.ollydbg.de/quickst.htm

IDA

Malware Static Code Analysis with IDA PRO

The Interactive Disassembler (IDA) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems. It can also be used as a debugger for Windows PE, Mac OS X Mach-O, and Linux ELF executables. A decompiler plug-in for programs compiled with a C/C++ compiler is available at extra cost.

IDA performs automatic code analysis, using cross-references between code sections, knowledge of parameters of API calls, and other information.

source: https://en.wikipedia.org/wiki/Interactive_Disassembler

FakeNet

Malware Dynamic Analysis with FakeNet-NG

FakeNet-NG is a tool that can be used as a network simulator. It lets you observe the network activity of the sample you are analyzing as it tries to connect outside your isolated environment, which gives us rich information about the sample. It also writes a pcap file to the FakeNet directory once the executable is terminated.

In our sample, FakeNet logs the HTTP communication of the sample attempting to connect outside the environment; this artifact can be used as a network-based IOC.

GMER

Malware Dynamic Analysis with GMER

GMER is a rootkit detection tool that lets you view the hooking executable and the hooked function inside the system.

GMER can give us details about the name of the executable that performs the hooking and the module it hooks.

In our sample, GMER detects Win32.AgentTesla.exe [2820] hooking user32.dll's GetKeyboardState API.

Agent Tesla is a known variant of information-stealing malware.

RegShot

Dynamic Analysis with RegShot

RegShot is a tool that lets you take a clean snapshot of the registry, which can later be compared with a second snapshot taken after the malware sample is executed. The comparison reveals the changes made to the registry, particularly when the malware modifies registry keys to persist on the system.

Ring3 API Hooker

Malware Dynamic Analysis with Ring3 API Hook Scanner

Ring3 API Hook Scanner by NoVirusThanks.org is a GMER-like tool that detects API hooking inside the kernel. It logs the executable responsible for the hooking and the API that is being hooked.

The Ring3 API Hook Scanner reports its findings under two categories.

One is the owner, the module that hooks the API.

The other is the API name.

In our case, the image below shows Ring3 detecting Win32.AgentTesla.exe hooking the DeleteFileW API.